Three Key Ways to Make Supply Chains More Resilient to Cyber Risks
Organizations worldwide are increasingly impacted by cyber incidents occurring at partner organizations. The number of supply-chain cyber incidents is growing, as is the magnitude of their impact.
Large organizations face a 25% probability of experiencing a cyberattack with an average remediation cost of $4.9 million. According to Verizon’s 2024 Data Breach Investigations Report, the number of cyber incidents involving software vulnerabilities increased in 2023 by 180% year-on-year; 15% of these involved a third-party supplier.
The unintended upstream and downstream consequences affecting society are of even greater concern. Such a risk pool may eventually hit the boundaries of what cyber risks can be insured. Unfortunately, only 27% of supply chains are regularly monitored and evaluated by their customers.
Existing approaches for addressing these challenges fall short. Because organizations are confronted with limited visibility in supply chains, security risk inequality between organizations and misaligned market incentives, gaps in managing cyber risks in supply chains are inevitable. This leads to inadequate supply chain cyber risk assessment and poor communication and cooperation among organizations, resulting in severe consequences.
A global IT outage in July 2024 was an inadvertent supply-chain cyber incident by CrowdStrike that caused 8.5 million systems to crash in thousands of organizations worldwide. This was due to a single faulty database content update, resulting in overall societal losses exceeding $10 billion. A deliberately engineered version of such an incident could have been much worse.
Yet, in the aftermath of this global IT outage, the market discourse contains little about managing cyber risks in supply chains. The focus is mostly on tactical discussions on the technical aspects of this particular incident, as well as on speculative accusations among organizations on who should be held accountable for the losses.
As another example, Change Healthcare processes nearly 40% of the 15 billion medical claims made in the US. An attack on Change Healthcare in February 2024 caused a backlog of unpaid claims, putting doctors’ offices and hospitals in an urgent cash flow situation and constraining patients’ access to healthcare. Furthermore, sensitive healthcare data of millions of people was leaked to the dark web, costing United Healthgroup $2.5 billion in recovery, all from a single point of failure.
Society has already been subjected to many significant, impactful global supply chain breaches, including the NotPetya attack on Maersk, the Sunburst attack on SolarWinds, the cyberattack on MOVEit and the Okta supply chain campaign. Yet, the worst is possibly to come: many executives expect a catastrophic cyber event within the forthcoming years.
Given the societal impact, better management of supply chain cyber risk is required. Through legislation (such as the NIS2 in the EU and SEC cybersecurity rules in the US), boards of organizations have been assigned the task of managing these risks. Limited capabilities exist, however, to assess the overall global digital dependencies among organizations and thus the risk and resiliency implications of such dependencies. Increasing supply chain breaches may cause an erosion of trust and confidence and ultimately impede digitalization efforts.
Establishing a robust framework
In May 2024, MIT CAMS, in collaboration with the German government’s Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur), convened a pivotal workshop at MIT aimed at establishing a more robust framework for managing cyber risk and enhancing cyber resiliency within supply chains. This workshop brought together a diverse group of thought leaders, including chief information security officers, cyber insurance experts, tech company executives, regulators, market analysts and academics.
The discussions were categorized into these three focus areas:
1. Strengthening governance, oversight and collaboration
Emphasizing the importance of cohesive governance structures and collaborative efforts among stakeholders to ensure comprehensive oversight and effective management of cyber risks.
2. Encouraging systemic cyber resiliency
Promoting strategies and practices that enhance the overall resilience of supply chains against cyber threats, ensuring they can withstand and recover from disruptions.
3. Advancing risk assessments and mitigations
Developing sophisticated risk assessment methodologies and mitigation strategies to proactively identify and address potential vulnerabilities within supply chains.